The Need for “Secure Payment Agent” (SPA)
In February 2009, the Identity Theft Resource Center (ITRC) conducted a survey seeking answers about consumer awareness of data exposure breaches, how they feel about the safety of their personal information when used online, as well as their level of interest in improving their online information safety. Our sample of 542 respondents was obtained by an independent research agency from the general population of consumers ages 30 to 55 who shop on-line at least once per month.
A sample of the survey questions and the statistical analysis:
Q. How concerned are you about the safety of your personal identifying and financial information when you send it over the Internet? (Choose the one answer that best describes how you feel).
Our survey respondents indicated that 84% were either “extremely concerned,” “very concerned,” or “somewhat concerned” in answer to this question. Only 16% answered “not very concerned” or “not at all concerned”. Recent survey data shows that 90 to 95% of consumers are concerned about identity theft and consider it a “prime concern”. It is apparent that our targeted “online shopper” consumer group also shows an overwhelming concern about the safety and protection of their personal information when used for online activities and transactions.
Q. After you send your personal or financial information to websites, how comfortable are you with what happens to it?
The response to this question was just about evenly split on either end of the spectrum, with 21% “not at all comfortable” or “not very comfortable”, and 20% answering “very comfortable” or “extremely comfortable”. This would seem to indicate that consumers feel that the transmission of the information is more risky than the ultimate storage and protection of the information. The opposite is really the case, indicating a lack of awareness in our sample population of the very large “cloud” that hangs over the security of thousands of business and other databases, and the impact of theft, data exposure, or even sale of information. ITRC is in agreement with most experts that see data storage safety as a much larger problem than data transfer safety.
Q. How much need for improvement is there to protect the personal and financial information you give to websites from being stolen, breached, lost, or misused? (Choose the one answer that best describes how you feel).
The response to this question showed that 59% of our sample expressed a need for improvement in the protection of their data, with 26% indicating “a great deal of need for improvement” and 33% responding “a considerable need for improvement”. A “moderate need for improvement” was expressed by 35% of the surveyed population. That leaves only 6% of respondents feeling there was little or no need for improvement. It is apparent from these responses that the public has developed a high sensitivity to stolen, breached, lost, or misused data when it relates to their sensitive personal information.
Q. If there was a way to shop, make purchases, pay bills, or login to websites on the Internet without ever needing to give any of your personal or financial information, how much would that interest you? (Choose the one answer that best describes how you feel).
Our sample of consumers answered this question in almost the same magnitude as they did in the need for improvement in the protection of their information by websites. Specifically, 96% were at least somewhat interested. Those “extremely interested” or “very interested” represented 68% of the poll takers. Those “not very interested” or “not at all interested” totaled only 4% of responses.
What’s driving the high level of consumer fear about their personal information?
The root problem, and the cause of this consumer fear, is that our standard way of completing most business transactions is for the consumer to provide to the merchant a significant array of personal information (which could be warehoused in large databases, sold, or exchanged with other databases). In doing so the consumer loses control of the data.
The merchant does have a need to be assured of the identity of the consumer, and of his ability to pay for the transaction. This is the driving force for collecting this massive amount of data. Although marketing use of the data is also a business need, the primary need is knowing that the business will be paid for the products delivered.
A solution to this problem would be a method which authenticates a transaction, ensures payment, yet does not disrupt the purchase (and confirmation messaging). This method would remove most of the driving force for online collection of massive amounts of sensitive personal information. Please note that the current method of transacting business also makes the merchant responsible for protection of that personal data. This liability is increasingly costly in this day of data breaches. This leads us to a discussion of data exposure and data breaches.
Consumer Awareness of Data Breaches
The Identity Theft Resource Center (ITRC) has been tracking and publishing the ITRC Breach List for more than 4 years. It is very cognizant of the problems breaches can cause for consumers and businesses alike. In our survey, 70% of respondents reported being aware of data breaches occurring in the recent past.
Let’s look at some of the numbers to get a feel for the size of the problem. Reports of data breaches increased dramatically in 2008. The ITRC’s 2008 breach report recorded 656 breaches, reflecting an alarming 47% increase over 2007. The number of records reported exposed in 2008 was over 35 million. The reported number of records exposed in 2007 was over 127 million. With that said, more than 40% of those companies who reported a breach in 2007 and 2008 did not publish the number of records involved. So, despite these very large numbers, we can be sure that the number of records exposed is severely under-reported in any given year.
We should also consider the cost of data breaches to business and other organizations (e.g. healthcare, education, government agencies). The 2009 Ponemon Institute’s annual study of data breaches (“Cost of Data Breach”) concluded that the total cost of data breaches to businesses and organizations continued to rise in 2008, averaging $6.7 million per breach and $202 per record compromised. Fully 69% of this loss is attributed to “Lost Business.” As the study states, “Trust may be intangible and hard to quantify, but the result of breaking of that trust is clear as the cost of lost business represents 69% of the total cost of a data breach.”
What does this have to do with Identity Theft?
Identity Theft Incidence and Costs
In our ITRC Consumer Awareness Survey, 15% of our sample reported yes when asked “Have you ever been a victim of identity theft?” In addition, 20% of our poll indicated that they are currently enrolled in “an identity theft protection or prevention program or product”.
A recent poll by Javelin Research (The 2009 Identity Fraud Survey Report) indicates the incidence of identity theft in the U.S. in 2008 rose to 4.32%, or an estimated 9.9 million new victims. These are higher numbers than any of the previous 4 years. Javelin reports that 2008 identity fraud costs totaled $48 billion. The direct cost to victims of the frauds averaged $496 per incident in 2008. The total fraud cost was $4849, however. This cost (~$48 billion) will no doubt be passed on to the consumer.
No matter what the total costs may be to the victim, the financial costs of an incident are just the tip of the iceberg. The lives of identity theft victims can be disrupted for years.
Does Data Exposure lead directly to Identity Theft?
Now we are down to the key point. While there is no easy way to statistically tie identity theft incidence to data exposure incidence, anyone with experience in the identity theft field can relate many occasions when data exposure, by any number of means, resulted in identity theft. This approach is anecdotal, however, and not factual statistical evidence.
The plain truth is that identity thieves are difficult to catch, and more difficult to prosecute. The crime almost always extends across judicial boundaries, and is often international in scope. Unlike crimes prosecuted more seriously by law enforcement, the criminals are rarely put into a circumstance where they will tell us everything about what they did, how they did it, and who were their victims. So, providing direct evidence of a relationship between the two is not possible using publicly available data. It doesn’t take a statistician, however, to come to the understanding that “if my personal information is exposed, a chance is created that someone will use it against me.” ITRC won’t argue what “chance” means. Would you rather have your data exposed, or rather know that it cannot be exposed?
Personal Identifying Information (PII) online and reducing breach/identity theft risk:
A variety of industries have been working on pieces of the puzzle presented above, seeking ways to minimize the risk of data exposure, and developing a variety of different ways to accomplish secure transactions, and protection of personal identifying information (PII). ITRC has seen many different approaches to solutions aimed at lowering the risk of identity theft and fraud to both consumers and businesses. Many of these have been worthwhile and effective, but always for only a part of the overall puzzle. They invariably depend upon the consumer repeatedly passing some or all of his/her personal and/or financial information to a wide variety of business databases, where the consumer then loses control over how the data is managed or secured.
Recently we have become aware of a new product class that is emerging on the Internet, an environment where consumers consistently give up a great deal of their personal information when transacting online or registering at websites. This new product class is substantially different from, and much broader in the scope of protection offered than, previous products, all of which have only attacked parts of the problem. We have designated this emerging class of products “Secure Payment Agents”.
A “Secure Payment Agent” as defined by ITRC allows the consumer to control the use of all their sensitive personal information whether shopping, paying bills online, or registering at websites. A Secure Payment Agent has the ability to replace all of the user’s real personal information with anonymous data that becomes useless after a transaction and cannot be traced back to the user. ITRC is also very interested in SPAs because they enable consumers to effectively deal with sophisticated fraudsters and thieves to whom they currently are vulnerable.
As noted earlier, the ITRC as well as other experts have long recognized that the ideal solution to the online identity theft problem would be not transmitting personal information to websites at all. An ideal solution would be if you could shop, pay bills, or sign up at websites without ever giving out any personal information. No email addresses, passwords, phone numbers, billing information, credit card numbers, not even your name should be necessary.
What Is a Secure Payment Agent (SPA), and Who Should Be Interested?
In identifying this new and emerging category, ITRC has taken on a responsibility to clearly define the performance characteristics we recommend a product meet in order to qualify as a Secure Payment Agent. We have identified some of the prerequisites we believe a Secure Payment Agent should include.
• Replaces the consumer’s real personal identifying and financial information with anonymous data that is untraceable back to the consumer
• Eliminates phishing both when visiting websites and receiving incoming email
• Verifies both consumer and device before allowing access to or use of the Secure Payment Agent
• Stores user data so it becomes useless if the Secure Payment Agent’s data base storage system is breached
• Merchants must be able to send, and consumers to receive, purchase/shipment confirmations without delay, extra steps or the use of supplemental devices.
• Authentication method must be “Multi-Authentication” using attributes of:
Who You Are
What You Have
What You Know
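As an added illustration, not part of the ITRC paper and not any vendor’s product, the Python sketch below shows how the first, fourth and fifth criteria above can be realised together: the merchant only ever sees random single-use alias data, the agent’s store holds only keyed hashes of those aliases, and each alias is honoured once. The class name, the `relay.example` domain and the assumption that the HMAC key is held outside the store (for example in an HSM) are constructed for this example.

```python
import hashlib
import hmac
import secrets

class SecurePaymentAgentVault:
    """Constructed SPA-style vault (hypothetical, not any vendor's product).

    The store maps a keyed hash of each one-time alias to an internal profile
    id and a 'consumed' flag. The HMAC key is assumed to live outside the store
    (e.g. in an HSM), so a dump of the store alone yields no usable aliases or PII.
    """

    def __init__(self, hmac_key: bytes):
        self._hmac_key = hmac_key
        self._profiles = {}  # profile_id -> real PII, never sent to merchants
        self._store = {}     # tag(alias) -> {"profile": id, "consumed": bool}

    def enroll(self, real_pii: dict) -> str:
        """Register a consumer; the random profile id carries no PII."""
        profile_id = secrets.token_hex(16)
        self._profiles[profile_id] = real_pii
        return profile_id

    def _tag(self, alias: str) -> str:
        return hmac.new(self._hmac_key, alias.encode(), hashlib.sha256).hexdigest()

    def issue_alias(self, profile_id: str) -> dict:
        """Mint random, single-use alias data for one transaction."""
        if profile_id not in self._profiles:
            raise KeyError("unknown profile")
        token = secrets.token_urlsafe(24)  # not derived from PII: untraceable
        self._store[self._tag(token)] = {"profile": profile_id, "consumed": False}
        return {
            "name": "SPA Customer " + token[:6],
            "email": token[:12] + "@relay.example",  # relay forwards confirmations
            "payment_ref": token,
        }

    def redeem(self, payment_ref: str) -> bool:
        """Merchant presents the alias to settle; it is honoured exactly once."""
        entry = self._store.get(self._tag(payment_ref))
        if entry is None or entry["consumed"]:
            return False
        entry["consumed"] = True
        return True

    def breach_dump(self) -> list:
        """What an attacker obtains from the alias store alone: opaque tags."""
        return list(self._store.keys())
```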
ITRC feels that the introduction of products that meet these Secure Payment Agent criteria will benefit consumers, businesses and other organizations by dramatically reducing the amount of personal information required for many business and consumer Internet transactions. Also, as this new technology gains popularity, it will lower the amount of personal information that is stored in myriad databases, thus reducing the liability of businesses to data exposure.
As noted in our survey question above, 96% of our respondents are at least “Moderately Interested” in a method that would embrace a more secure way of shopping online and over the telephone. ITRC concludes that both consumers and businesses will have a high level of interest in using Secure Payment Agents (SPAs).
About the ITRC
The Identity Theft Resource Center® (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the on-going mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Visit www.idtheftcenter.org. If you are a victim of identity theft, you can also reach them toll-free at 888-400-5530 (8am - 4:30pm PST).
1. Zoomerang (February, 2009)
2. Zogby Interactive Survey: 91% concerned that their identity might be stolen and used to make an unauthorized purchase; Cyber Security Industry Alliance (CSIA) survey: 95% of respondents felt that identity theft was a prime concern
3. Ponemon Institute & PGP, 2008 “U.S. Cost of a Data Breach Study” (February, 2009)
4. Javelin Research, 2009 Identity Fraud Survey Report (2008 data)